LMeve dev blog: security, guidelines and a handful of new features

In the last couple of weeks I focued on polishing LMeve. Especially that the project has a new contributor, who is both user and developer at the same time 😉 Say hello to @MarqAideron from Stay Frosty!

Security & CCP Guidelines

About two weeks ago @FuzzySteve suggested that EVE third party devs should use nonce values (also known as CSRF tokens) in all their web apps.

What’s that? Well, it’s a security mechanism, and a quite important one, too.

Let’s assume you are an admin of an open source web application (whether it’s a forum, blog or anything else). You log in to that application (of course using secure HTTPS protocol and a very secure password). Application then creates a random session identifier, verifies if user is connecting using secure connection and verifies the credentials. Then website then sends the session identifier back to the web browser in a cookie file. Each time you navigate around your app, web browser sends the cookie file to the server, so server knows which user he’s talking to.

Now let’s assume a hacker wants you to create an account for him in your app. Of course he can’t simply ask you to do it, but he knows your app, becuase it’s open source. He doesn’t know your password, or your session cookie, because it’s completely random. But he does know that adding a user in your app is done by this URL: https://your-app.com/?action=adduser&user=hacker_login&pass=1eK4Gaq4gj$g==

All the hacker needs to do, is make you open this URL while your web browser is logged to the application, for example by sending you an email with some embedded images. However, one of the images addresses is not an image at all: it will be the URL which creates a new account! What does your browser do when you open such email? It will attempt to load all images be default, including the crafted URL. It’s your browser, so it knows the session cookie for your application. Server will belive this is a genuine request coming from you, and application will create the account for the hacker! I don’t have to tell you what happens next. This is an attack known as Cross-site Request Forgery, or CSRF in short.

How to protect against this?

First: use POST in your forms instead of GET. This will make it harder for the hacker, because he won’t be able to use a simple URL to deceive the user (he will need a web form to send the crafted request).

Second: add a random hidden field in all your forms. When you draw the form for the user, you add a field with random “token” value. Save this token on the server side (it can be a session variable or a record in database). It should also have a short expiration timeout. so it cannot be used if it was somehow intercepted by the hacker. When user fills in the form and submits it, you verify if the value sent by the user is equal to the one you saved earlier. If both values are the same, request is considered genuine ,and otherwise it should be ignored.

CCP Bugartist followed on the conversation started by @FuzzySteve, and suggested a way to generate the CSRF tokens using openssl:

Don’t abuse the API, or else…

A few days later CCP FoxFour suggested adding an User-Agent field in third party apps, because instead of banning API (ab)users, CCP would prefer to contact the developer instead.

LMeve poller already used context setup in file_get_contents() so I simply added User-Agent field to it. Op success!

LMeve new features!

Ok, end of technicalities, let’s get down to business 😉 Last two weeks saw three new features added.

API character Self-register

This one was well overdue. I have mentioned it for the first time about a year ago. Why is it important? By default, LMeve doesn’t know which in-game characters belong to which person. This information is useful, because LMeve can then highlight the information regarding user’s characters, or simply limit the amount of information displayed only to these characters.

Previously only people with “Administrator” permission were able to link LMeve accounts to in-game characters, but with this new feature everyone can do it now. And it’s very simple, too.

First, input your account level API KEY first. If you don’t have a key ready, simply follow the link.

api-self-linkWhen ready, user clicks OK. LMeve will now access personal API (just this one time) to download the characters. Then it will compare the corporations these characters belong to with corporation that owns this particular instance of LMeve. When corporations match, LMeve will check if these toons are already visible in corporation API. If all checks are green, characters become linked to the account:

api-self-link2Simple, eh? And no administrator input is needed.

This will become even more important when EVE SSO becomes openly available, because once characters are linked to the account, users will be able to use their EVE Online password to log in to LMeve. there will be no need to remember another password!

Industry Facilities and Logistics

Everyone who’s done some industry in EVE knows just how important logistics are. Without ingredients corporation cannot invent or produce anything, so a constant flow of materials is the only way to keep productivity high (and this in turn directly impacts the amount of ISK earned).

Previously I’ve added a way for users to track the materials needed for their specific tasks, so users could refill their own labs easily. Most corporations however has a few dedicated pilots who do hauling and logistics, and they would benefit if they knew the materials needed by a specific assembly array, rather than specific character. With the information about Industry Facilities now available in the API, we only need to assign tasks to specific facility.

facilitiesWith this information available it’s then quite easy to calculate the materials required in each Lab:

facility-logisticsI’ve done the logistics and hauling recently, and you can believe me, it’s really useful!

What to build to become a real EVE Online industry mogul?

This is a tricky question. Profit on a single item is not enough to make a well informed decision, because some items, while profitable at single unit level, don’t sell very well. Other items have smaller margins, but because of their high sales volume, they give much higher profit. So what should you build? LMeve comes to the rescue.

profit-explorer

Under Database you can now find Profit Explorer and Profit Chart. The first one is very similar to normal Item database view, but it also calculates manufacturing cost and compares them with market prices. Please note that:

a) items must have their prices tracked (you must turn on “Fetch Prices” in Database for each item and each material; only minerals are turned on by default after LMeve installation)

b) items must have a bleuprint (so they can be built and their manufacturing cost can be calculated)

That’s all for today!

You can download the latest LMeve version from GitHub.